Mandel Ngan/Getty

New York’s attorney general is investigating why Facebook helped itself to the email contact lists of 1.5 million people who gave the company their passwords as part of Facebook’s new account setup process.

“It is time Facebook is held accountable for how it handles consumers’ personal information,” said Attorney General Letitia James in a statement announcing the latest probe of Facebook’s privacy practices. “Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data.”

Early this month The Daily Beast reported that Facebook’s onboarding system was demanding some new users turn over the password for their email account, so the company could log in as the user and confirm it was really their address—a system one security expert called “beyond sketchy.”

The additional login step had been noticed by a cybersecurity watcher on Twitter called “e-sushi.” Within hours of The Daily Beast’s report, Facebook announced it was ending the practice. “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” the company wrote in a statement at the time.

Facebook explained the password demand as a misbegotten but well-intended feature meant to simplify sign-ups. But last week, Facebook confessed to Business Insider that it used the passwords for more than just email verification.

The harvesting was not done in secret. Facebook showed the user a progress bar as it ingested the names and email addresses of their friends, colleagues, and loved ones, but didn’t provide a way to stop the process.

According to the attorney general’s announcement, the purloined contact lists were used for “targeted marketing” and affected far more people than Facebook’s official numbers reflect.

“While Facebook has admitted that 1.5 million people’s contact books were directly harvested, the total number of people whose contact information was improperly obtained by Facebook may be hundreds of millions, as people can have hundreds of contacts stored on their contact databases,” the attorney general’s office said in its statement.

It’s not the first time Facebook has repurposed personal information handed over by users.